eScan, a security solutions company, claims to have found major security flaws in MIUI 9. Xiaomi has denied eScan's claims.
eScan has published a 36-page report that points out the security flaws in MIUI 9. According to the report, MIUI 9's uninstall mechanism and Mi Mover have major security issues that can affect users' data.
Xiaomi has responded to the report, saying these statements are true only if someone gains physical access to the device and the device is unlocked.
The company also pointed out that it provides up-to-date lock screen security features such as PINs, pattern locks, and the fingerprint sensor.
Mi Mover also comes with additional login layers, so data migration is not at risk unless the device is stolen.
In its report, eScan claims: “Xiaomi’s system apps have unknowingly introduced multiple flaws into the functional working of most of the apps. The functional aspects of Anti-Theft security apps and Android for Work apps are affected by the uninstall procedure implemented by Xiaomi. Furthermore, the MI-Mover app which assists in user data migration also poses significant threats to the installed apps. Although Xiaomi alone cannot be held responsible; the app developers are also equally responsible for not taking into consideration that there existed a huge possibility of their application’s app-system-data getting cloned/copied. This particular use-case existed since the day devices started getting rooted and app-system-storage was compromised. It’s surprising that app developers never realized that the data which they are storing on app-system-storage is vulnerable on rooted phones. Although Xiaomi’s MI Mover allows the users to copy all their data, it goes one step ahead and copies from the app-system-storage areas too.”
Xiaomi has replied to that report, saying: “At Xiaomi, user privacy is of utmost importance.
Any perpetrator who gains physical access to an unlocked phone is capable of malicious activity and an unlocked phone is greatly at risk of user data being stolen.
This is why we at Xiaomi encourage our users to be more aware of guarding their private data using PIN, Pattern locks, or the onboard fingerprint sensor available on most of our smartphones. In fact, prompting users to enable fingerprint lock is a standard step when setting up a Xiaomi smartphone for first use.
Mi Mover is designed to be a convenient tool for our users to move their data from an old smartphone to a new phone. In order for Mi Mover to initiate this process, a password is required.
More importantly, in order to use Mi Mover, the smartphone has to be unlocked.
Thus, there are two layers of protection for the user – phone lock and a Mi Mover password that are necessary.
Further, as per the eScan report, “As part of exploiting the issue you describe, someone needs to take control of a user’s mobile phone and get that phone in an unlocked state. This is a very high barrier to entry and seems unlikely to happen commonly, making this more of a theoretical attack. The protection, in this case, is to not allow someone to steal and unlock your phone.”